DNS over HTTPS needs to be implemented


  • Banned

    https://www.howtogeek.com/660088/how-to-enable-dns-over-https-in-google-chrome/

    Secure DNS lookups
    Enables DNS over HTTPS. When this feature is enabled, your browser may try to use a secure HTTPS connection to look up the addresses of websites and other web resources. Mac, Windows, Chrome OS, Android
    
    #dns-over-https
    Not available on your platform.
    

    I'm hoping regardless of what goGGles wants for the Linux platform the Vivaldi devs will enable the above.

    modedit changed title to request


  • Moderator

    @AgentX Wait until Vivaldi gets the Chromium 81 code base. DoH is still experimental.
    Oh! You want a feature which is not even implemented on Chrome 81.0.4044.43 Linux? Wait some days…
    Internal 2.12 has got the flag back. But I did not test DoH yet.



  • Wow perfect timing. I was just about to download Vivaldi from the AUR and I thought I would come check out the community first. Ever since this was first being tested in chromium last year I have not gone without this feature. In older chromium versions you could enable it with

    --enable-features="dns-over-https<DoHTrial" --force-fieldtrials="DoHTrial/Group1" --force-fieldtrial-params="DoHTrial.Group1:server/https%3A%2F%2F1.1.1.1%2Fdns-query/method/POST"
    

    Then when they rolled it out a few versions later the option was not there for Linux, so I downgraded my package for a while. Then when Firefox implemented it I was set. Can this not be implemented in Vivaldi? I have heard good things and was looking forward to trying it, but I don't want to go backward in security.



  • It doesn't need to be "fixed" - it's just not implemented in Vivaldi yet. And the Chromium implementation relies on directing your DNS queries to either Google or Cloudflare.

    What I don't get is why people overly concerned with some obscure notion of "improved privacy" with DoH would rather trust Google/Cloudflare with their DNS queries than their own ISP... 🙄

    In addition people need to know that even if your DNS query is encrypted, the browser will then make a request to the actual IP, so unless you're also running a trusted VPN/TOR whatever site you're going to is still visible to your ISP...


  • Moderator

    I would suggest a doh-proxy on Linux instead of using a browser-only implementation.


  • Banned

    @Gwen-Dragon said in DNS over HTTPS needs to be implemented:

    @AgentX Wait until Vivaldi gets the Chromium 81 code base. DoH is still experimental.
    Oh! You want a feature which is not even implemented on Chrome 81.0.4044.43 Linux? Wait some days…
    Internal 2.12 has got the flag back. But I did not test DoH yet.

    It's in Google Chrome 80 according to more than a few sites INCLUDING How-To-Geek.

    @Pathduck said in DNS over HTTPS needs to be implemented:

    It doesn't need to be "fixed" - it's just not implemented in Vivaldi yet.

    You mean it's not implemented in Linux yet. Both the latest Chrome and Vivaldi state quite clearly it's not available for this platform, which means the OS. Now if I were you I'd read the third post in this thread.

    On a side note, we will not be getting into a debate about privacy PERIOD.

    @Gwen-Dragon said in DNS over HTTPS needs to be implemented:

    I would suggest a doh-proxy on Linux instead of using a browser-only implementation.

    When in the browser I have a VPN in place, and I have the Cloudflare DNS addresses set in my network manager. Would just like another layer of protection.


  • Moderator

    @AgentX said in DNS over HTTPS needs to be implemented:

    Would just like another layer of protection.

    I can understand you want this useful privacy/security protection.



  • For anyone interested, since this morning I learned a much better way to implement DNS over HTTPS after the suggestion of Gwen-Dragon with a doh-proxy. Cloudflare has a service you can install (cloudflared) that can be configured to run as a doh-proxy. I learned about it from the Pi-hole site from their documentation here: https://docs.pi-hole.net/guides/dns-over-https/
    Rather than what was in their guide I had to install it manually as root and eliminate the cloudflared config file and let it start with all defaults on port 53. (Manjaro) Tested on 1.1.1.1/help and it is all working perfectly. Now I am finally using Vivaldi and I'm already blown away with the speed and customization. Hope this helps someone.


  • Banned

    @grandpajoe said in DNS over HTTPS needs to be implemented:

    For anyone interested, since this morning I learned a much better way to implement DNS over HTTPS after the suggestion of Gwen-Dragon with a doh-proxy. Cloudflare has a service you can install (cloudflared) that can be configured to run as a doh-proxy. I learned about it from the Pi-hole site from their documentation here: https://docs.pi-hole.net/guides/dns-over-https/
    Rather than what was in their guide I had to install it manually as root and eliminate the cloudflared config file and let it start with all defaults on port 53. (Manjaro) Tested on 1.1.1.1/help and it is all working perfectly. Now I am finally using Vivaldi and I'm already blown away with the speed and customization. Hope this helps someone.

    @Gwen-Dragon feel like weighing in on their post and letting us know if there really is anything to it? Thanks



  • I think the Chromium project pushed it back again, to v82. (It was originally planned for v78 and it is present on the Win10 platform.)

    Besides the Cloudflare software, NextDNS has a standalone local DoH proxy on GitHub for all platforms.
    I use dnscrypt-proxy, also on github for all platforms.



  • So an HTTPS connection is being used as an encapsulation protocol...

    Why would I trust Cloudflare or any other resolver over my local DNS provider?

    DNS is meant to be a decentralized protocol. Let's keep it that way.
    This kind of tunneling over http of other protocols is further undermining the wide array of protocols in use on the internet. If you don't trust the local network, and you need a server anyway to tunnel through, you may as well use a VPN and cover everything in one go instead of coming up with all sorts of proprietary mechanisms to "work around using one protocol instead of multiple". If you suffer from DNS poisoning, then pick better resolvers to use.

    Centralizing all the DNS requests to one resolver could create a "tracking tap".

    No thank you, I shall not use such an implementation.


  • Vivaldi Translator

    @Gwen-Dragon said in DNS over HTTPS needs to be implemented:

    I would suggest a doh-proxy on Linux instead of using a browser-only implementation.

    Seconded, mightily. I've been running an instance of stubby as a stub resolver feeding dnsmasq on my edge routers both at home and at work for at least a couple of years now and have been rather impressed with how reliably it handles hiccoughs with the upstream servers and very capably masks my traffic from my ISP.

    For those that have consumer network appliances powered by any of the Broadcom chipsets, I can't recommend highly enough a move to the FreshTomato custom firmware which now provides that same stubby+dnsmasq DNS service with just a couple enabled combo boxes on the Settings page.

    @Pathduck said in DNS over HTTPS needs to be implemented:

    ...And the Chromium implementation relies on directing your DNS queries to either Google or Cloudflare.

    What I don't get is why people overly concerned with some obscure notion of "improved privacy" with DoH would rather trust Google/Cloudflare with their DNS queries than their own ISP... 🙄...

    I believe your dismissal of encrypted DNS traffic overlooks at least two very important details.

    • It's not at all true that there are only two (or three, if you throw in Mozilla's in-house implementation) capable services offering either DoT or DoH. If you look here and here you'll see that there are in fact nearly three dozen potential authoritative DNS services available to the public, with only about a dozen of them (those on the first link) coming from major players in the IT services sector. My current configuration file for Stubby takes advantage of eleven of them in a round-robin fashion and my uptime since setting it up is higher than it was when using my ISP's resolvers.

    • As to why someone might prefer to route their DNS queries through anyone but their ISP, one major reason in my (admittedly U.S.-centric) opinion is to avoid getting flagged for DMCA violations that arise from file-sharing and illicit media streaming activities, which always have to funnel through the ISP. As someone who may have engaged in both of those forms of recreation rather vigorously in a past life, I can offer testimony that switching to always-on DoT for every bit of internet traffic instantly ended those troublesome incidents and without the inherent bandwidth bottleneck of even a Wireguard-powered VPN connection.

    I feel much better about spreading my DNS traffic among 10+ different services rather than launching every single packet at a single VPN host, the ultimate behavior of whom all of us simply have to accept on faith and a little awareness of past behavior. Of course this entire discussion is only about a very small and relatively feeble form of information security, but considering how low the time cost of implementation is, I think it's naïve to dismiss it out-of-hand or treat those who want to make use of it like they're misguided or ignorant.



  • @RogueScholar said in DNS over HTTPS needs to be implemented:

    It's not at all true that there are only two (or three, if you throw in Mozilla's in-house implementation) capable services offering either DoT or DoH. If you look here and here you'll see that there are in fact nearly three dozen potential authoritative DNS services available to the public

    Yes, of course there are. But we're talking about the browser here, not implementing it on the network/OS layer, which is what you're doing on your systems. Respect to you for doing that by the way, but this is not something most users will be able to do, of course.

    In-browser DoH is still AFAIK limited to a set of services decided by the browser. I hope that maybe one day Vivaldi will implement DoH in the browser where the user can choose and configure what service to use themselves. Until then I will consider DoH-in-the-browser as just hype from big companies like Google trying to control even more of the world's internet traffic the way they want it.

    one major reason in my (admittedly U.S.-centric) opinion is to avoid getting flagged for DMCA violations that arise from file-sharing and illicit media streaming activities, which always have to funnel through the ISP.

    Yes, but unless you're also running a VPN, they'll still see you connecting out to a number of IPs and ports, and from those alone could still be able to figure out (at least guess) you're running P2P clients, even if they can't see the actual content of the data.

    Then again, a lot of sites, even illicit ones, use CDNs (aka "The Cloud") these days, meaning they will most likely see only a generic IP belonging to AWS, Azure or other big data centres anyway when you visit the site.

    Torrent clients still have to reveal the IP of every connected peer, and DoH won't help squat about that - unless you're also using a VPN.

    My point is that DNS resolution should be done on the OS/network level for all applications that request it. DoH in the browser will only lead to a false sense of security as other clients on the system will still send their requests over regular ol' DNS, and the actual network connection will still need to connect to an IP and port which can't be hidden from the ISP.



  • It would seem possible to enable this at the browser level, since Firefox has done this already.

    I plugged everything into a router to try out Cloudflare since my ISP doesn't allow its customers to change the DNS entries in the gateway.

    Although I did not notice any difference via an Ethernet connection, on 2.4GHz WiFi, there was a noticeable increase in download speed, going from 50Mbps (pre-Cloudflare) to 62Mbps (using Cloudflare) with Vivaldi on Android and using the Speed Of Me site. I cannot explain the difference in WiFi speeds, but the speed increase is definitely welcome.

